System and method for filtering network traffic

US 8,788,823 B1
Filed: 10/22/2004
Issued: 07/22/2014
Est. Priority Date: 09/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

applying an access control rule to a first message, whereinthe first message comprises message information,the message information is used to select the access control rule,the access control rule is calculated using protocol status information,the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server,the protocol status information comprises protocol information generated by the protocol server,the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, andthe access control rule is stored in an access control list;

determining whether to perform one or more security actions, whereinthe determining is performed in response to the applying, andthe access control rule indicates whether to perform the one or more security actions; and

performing a first security action for the first message, whereinthe access control rule indicates performance of the first security action; and

selecting to unicast the first message instead of forwarding the first message normally, whereinthe first message would normally be broadcast, multicast, or flooded to multiple recipients, andthe selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server,updating a binding table entry in response to detecting the one or more protocol messages, whereinthe binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client, andallocating an entry in the access control list to store access control information, whereinthe access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by a snooping agent, andthe snooping agent is configured to update information in the binding table in response to processing the DHCP message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protocol status information is used to perform traffic filtering by dropping messages that are not consistent with the protocol status information. In one embodiment, a method involves comparing message information and protocol status information. The message information is associated with a first message. The protocol status information is obtained in response to one or more second messages, which are conveyed according to a protocol used to assign network addresses to clients. The method also involves determining whether to discard the first message, based on an outcome of the comparison of the message information and the protocol status information. For example, it can be determined that the first message should be discarded, if the message information does not match the protocol status information.

27 Citations

View as Search Results

56 Claims

1. A method comprising:
- applying an access control rule to a first message, whereinthe first message comprises message information,the message information is used to select the access control rule,the access control rule is calculated using protocol status information,the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server,the protocol status information comprises protocol information generated by the protocol server,the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, andthe access control rule is stored in an access control list;
  
  determining whether to perform one or more security actions, whereinthe determining is performed in response to the applying, andthe access control rule indicates whether to perform the one or more security actions; and
  
  performing a first security action for the first message, whereinthe access control rule indicates performance of the first security action; and
  
  selecting to unicast the first message instead of forwarding the first message normally, whereinthe first message would normally be broadcast, multicast, or flooded to multiple recipients, andthe selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server,updating a binding table entry in response to detecting the one or more protocol messages, whereinthe binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client, andallocating an entry in the access control list to store access control information, whereinthe access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by a snooping agent, andthe snooping agent is configured to update information in the binding table in response to processing the DHCP message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 50, 51, 52, 53, 54, 55, 56)
- - 2. The method of claim 1, whereinthe access control rule requires that the first message be discarded unless the message information matches the protocol status information, andthe first message is discarded, in response to the access control rule.
  - 3. The method of claim 2, further comprising:
    - providing a message corresponding to the first message to an administrator, in response to determining that the first message should be discarded.
  - 4. The method of claim 1, whereinthe first message is received via the interface identified in the protocol status information, andthe access control rule requires that the first message be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information.
  - 5. The method of claim 1, whereinthe first message is received via the interface identified in the protocol status information, andthe access control rule requires that the first message be dropped unless the message information comprises a MAC source address that matches the MAC address of the client identified in the protocol status information.
  - 6. The method of claim 1, further comprising:
    - updating an entry in the access control list to store information encoding the access control rule, wherein the updating the entry in the access control list is performed in response todetecting that the binding table entry has been updated.
  - 7. The method of claim 1, wherein a second access control rule is stored in the access control list, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by a snooping agent, andaccess control information encoding the second access control rule is stored in a single entry in the access control list.
  - 8. The method of claim 1, whereinthe binding table entry is updated in response to detecting a first protocol message, and the protocol server comprises a DHCP server.
  - 50. The method of claim 1, whereinthe first message is received on an arrival interface that does not match the interface identified in the protocol status information,a second access control rule stored in the access control list requires that the first message be discarded unless the first message is received on the interface that is identified in the protocol status information, andthe first message is discarded, in response to the second access control rulethe message information indicates that the first message was sent by a client via a first virtual local area network (VLAN), andat least one protocol message of the one or more protocol messages is sent from the protocol server to the client via a second VLAN.
  - 51. The method of claim 1, whereinthe message information indicates that the first message was sent by a client via a first virtual local area network (VLAN), andat least one protocol message of the one or more protocol messages is sent from the protocol server to the client via a second VLAN.
  - 52. The method of claim 1, further comprising:
    - performing a second security action, whereinthe access control rule indicates performance of the second security action, in response to a determination that the first protocol message does not correspond to the outstanding protocol request, andthe performing the second security action comprises dropping the first protocol message.
  - 53. The method of claim 1, further comprising:
    - performing a second security action, whereinthe access control rule indicates performance of the second security action, in response to a determination thatthe first message is sent from the protocol server,the first message is received via a first interface, andthe first interface is not coupled to the protocol server, andthe performing the second security action comprisesdropping the first message.
  - 54. The method of claim 1, further comprising:
    - performing a second security action, whereinthe access control rule indicates performance of the second security action, in response to a determination thatthe first message is sent from a second client,the first message is received via a first interface,the first interface is not coupled to the second client, andthe performing the second security action comprisesdropping the first message.
  - 55. The method of claim 1, further comprising:
    - performing a second security action, whereinthe access control rule indicates performance of the second security action, in response to a determination thatthe first message comprises relay information,the relay information is correct,the first message will be output to a next network device, andthe performing the second security action comprisesmodifying the relay information.
  - 56. The method of claim 1, further comprising:
    - performing a second security action, whereinthe access control rule indicates performance of the second security action, in response to a determination thatthe first message comprises relay information,the relay information is correct,the first message will be output to a client, andthe performing the second security action comprisesremoving the relay information.

9. A network device comprising:
- a physical interface configured to receive a first message;
  
  a filtering module, whereinthe filtering module is configured to apply an access control rule to the first message,the first message comprises message information,the filtering module is configured to select the access control rule using the message information, andthe filtering module is configured to determine whether to perform one or more security actions, in response to applying the access control rule to the first message, andperform a first security action for the first message, whereinthe access control rule indicates performance of the first security action, andthe filtering module is configured to select to unicast the first message instead of forwarding the first message normally, whereinthe first message would normally be broadcast, multicast, or flooded to multiple recipients, andthe selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server; and
  
  a binding table, wherein the binding table is configured to store protocol status information, the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server,the protocol status information comprises protocol information generated by the protocol server, and the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients; and
  
  an access control list, wherein the access control rule is stored in the access control list,the access control rule is calculated using the protocol status information,and the access control rule indicates whether to perform the one or more security actions;
  
  a snooping agent, whereinthe snooping agent is configured to update a binding table entry in response to detecting the one or more protocol messages,the binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client, an access control rule update module, whereinthe access control rule update module is configured to allocate an entry in the access control list to store access control information,the access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by the snooping agent, andthe snooping agent is configured to update information in the binding table in response to processing the DHCP message; and
  
  a memory having stored thereon the filtering module, snooping agent, the access control module and the binding table.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network device of claim 9, whereinthe access control rule requires that the first message be discarded unless the message information matches the protocol status information, andthe first message is discarded, in response to the access control rule.
  - 11. The network device of claim 10, whereinthe filtering module is further configured to provide a message corresponding to the first message to an administrator, in response to determining that the first message should be discarded.
  - 12. The network device of claim 9, whereinthe first message is received via the interface identified in the protocol status information, andthe access control rule requires that the first message be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information.
  - 13. The network device of claim 9, wherein the first message is received via the interface identified in the protocol status information, and the access control rule requires that the first message to be dropped unless the message information comprises a MAC source address that matches the MAC address of the client identified in the protocol status information.
  - 14. The network device of claim 9, further comprising:
    - an access control rule update module, whereinthe access control rule update module is configured to update an entry in the access control list to store information encoding the access control rule, in response to detecting that the binding table entry has been updated.
  - 15. The network device of claim 9, wherein a second access control rule is stored in the access control list, the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by the snooping agent, andaccess control information encoding the second access control rule is stored in a single entry in the access control list.
  - 16. The network device of claim 9, whereinthe snooping agent is configured to update the binding table entry in response to detecting a first protocol message, and the protocol server comprises a DHCP server.

17. A system comprising:
- means for applying an access control rule to a first message, wherein the first message comprises message information, and the means for applying comprises means for selecting the access control rule using the message information;
  
  means for obtaining protocol status information in response to means for detecting one or more protocol messages sent between at least one client and a protocol server,wherein the protocol status information comprises protocol information generated by the protocol server, andthe one or more second messages are conveyed according to a protocol used to assign network addresses to clients;
  
  means for storing access control rules, wherein the means for storing access control rules stores the access control rule;
  
  means for calculating the access control rule using the protocol status information,wherein the access control rule indicates whether to perform one or more security actions;
  
  means for storing the protocol status information;
  
  means for determining whether to perform the one or more security actions, in response to the means for applying the access control rule to the first message;
  
  means for performing a first security action for the first message, whereinthe access control rule indicates performance of the first security action; and
  
  means for selecting to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination thatthe first message comprises a first protocol message from the protocol;
  
  means for updating a binding table entry in response to the means for detecting the one or more protocol messages, whereinthe binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
  
  means for allocating an entry in the means for storing access control rules to store access control information, wherein the access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by the means for updating the binding table entry.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, whereinthe access control rule requires that the first message be discarded unless the message information matches the protocol information, andthe first message is discarded, in response to the access control rule.
  - 19. The system of claim 18, further comprising:
    - means for providing a message corresponding to the first message to an administrator, in response to determining that the first message should be discarded.
  - 20. The system of claim 17, further comprising:
    - means for receiving the first message via the interface identified in the protocol status information, wherein the access control rule requires that the first message be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information.
  - 21. The system of claim 17, further comprising:
    - means for receiving the first message via the interface identified in the protocol status information, wherein the access control rule requires that the first message be dropped unless the message information comprises a MAC source address that matches the MAC address of the client identified in the protocol status information.
  - 22. The system of claim 17, further comprising:
    - means for updating an entry in the means for storing access control rules that stores information encoding the access control rule, in response to the means for updating the binding table entry.
  - 23. The system of claim 17, wherein the means for storing access control rules stores a second access control rule, the second access control rule further requires that a DHCP message received via any one of a plurality of interfaces be processed by the means for updating the binding table entry, and access control information encoding the second access control rule is stored in a single entry in the means for storing access control rules.
  - 24. The system of claim 17, further comprising:
    - means for updating a binding table entry in response to means for detecting a first protocol message, wherein the protocol server comprises a DHCP server.

25. A computer readable non-transitory storage medium comprising program instructions executable to:
- apply an access control rule to a first message, wherein the first message comprises message information, the message information is used to select the access control rule, the access control rule is calculated using protocol status information, the protocol status information is obtained in response to one or more protocol messages sent between at least one client and a protocol server,the protocol status information comprises protocol information generated by the protocol server,the one or more protocol messages are conveyed according to a protocol used to assign network addresses to clients, andthe access control rule is stored in an access control list;
  
  determine whether to perform one or more security actions, in response to applying the access control rule to the first message, wherein the access control rule indicates whether to perform the one or more security actions;
  
  perform a first security action for the first message, whereinthe access control rule indicates performance of the first security action; and
  
  select to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, andthe selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
  
  update a binding table entry in response to detecting the one or more second messages, wherein the binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
  
  allocate an entry in the access control list to store access control information, wherein the access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via the interface identified in the protocol status information be processed by a snooping agent, andthe snooping agent is configured to update information in the binding table in response to processing the DHCP message.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The computer readable storage medium of claim 25, whereinthe access control rule requires that the first message be dropped unless the message information matches the protocol status information, andthe first message is discarded, in response to the access control rule.
  - 27. The computer readable storage medium of claim 26, wherein the program instructions are further executable to:
    - provide a message corresponding to the first message to an administrator, in response to determining that the first message should be discarded.
  - 28. The computer readable storage medium of claim 25, wherein the first message is received via the interface identified in the protocol status information, andthe access control rule requires that the first message be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information.
  - 29. The computer readable storage medium of claim 25, whereinthe first message is received via the interface identified in the protocol status information, andthe access control rule requires the first message to be dropped unless the message information comprises a MAC source address that matches the MAC address of the client identified in the protocol status information.
  - 30. The computer readable storage medium of claim 25, wherein the program instructions are further executable to:
    - update an entry in the access control list to store information encoding the access control rule, wherein the updating the entry in the access control list is performed in response to detecting that the binding table entry has been updated.
  - 31. The computer readable storage medium of claim 25, wherein a second access control rule is stored in the access control list,the second access control rule requires that a DHCP message received via any one of a plurality of interfaces be processed by a snooping agent, andaccess control information encoding the second access control rule is stored in a single entry in the access control list.
  - 32. The computer readable storage medium of claim 25, wherein the binding table entry is updated in response to detecting a first protocol message, and the protocol server comprises a DHCP server.

33. A method comprising:
- applying an access control rule to a first message, wherein the first message comprises message information the message information is used to select the access control rule, the access control rule is calculated using protocol status information, the protocol status information is obtained from one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, the one or more protocol messages are conveyed according to a protocol used to assign a network address to a client, and the access control rule is stored in an access control list;
  
  determining whether to perform one or more security actions, wherein the determining is based on a result of the applying, and the access control rule indicates whether to perform the one or more security actions;
  
  performing a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
  
  selecting to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server updating a binding table entry in response to detecting the one or more protocol messages, wherein the binding table entry comprises the protocol status information corresponding to the client, and the protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
  
  allocating an entry in the access control list to store access control information, wherein the access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by a snooping agent, andthe snooping agent is configured to update information in the binding table in response to processing the DHCP message.
- View Dependent Claims (34, 35, 36)
- - 34. The method of claim 33, whereinthe access control rule requires that the first message be discarded unless the message information matches the protocol status information, andthe first message is discarded, in response to the access control rule.
  - 35. The method of claim 33, further comprising:
    - updating an entry in the access control list to store information encoding the access control rule, wherein the first message is received via the interface identified in the protocol status information,the access control rule requires that the first message be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information, and the updating the entry in the access control list is performed in response to detecting that the binding table entry has been updated.
  - 36. The method of claim 33, whereinthe binding table entry is updated in response to detecting a first protocol message, and the protocol server comprises a DHCP server.

37. A network device comprising:
- a physical interface;
  
  a binding table, whereinthe binding table is configured to store protocol status information,the protocol status information is obtained from one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server, andthe one or more protocol messages are conveyed according to a protocol used to assign a network address to a client;
  
  a filtering module coupled to the binding table, wherein the filtering module is configured to apply an access control rule to a first message,the first message comprises message information the filtering module is configured to select the access control rule using the message information, andthe filtering module is configured to determine whether to perform one or more security actions, based on a result generated by applying the access control rule to the first message, perform a first security action for the first message, whereinthe access control rule indicates performance of the first security action, and the filtering module is configured to select to unicast the first message instead of forwarding the first message normally, whereinthe first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server; and
  
  an access control list, wherein the access control rule is stored in the access control list,the access control rule is calculated using the protocol status information,and the access control rule indicates whether to perform the one or more security actions;
  
  a snooping agent, whereinthe snooping agent is configured to update a binding table entry in response to detecting the one or more protocol messages,the binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
  
  an access control rule update module, whereinthe access control rule update module is configured to allocate an entry in the access control list to store access control information,the access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by the snooping agent, and the snooping agent is configured to update information in the binding table in response to processing the DHCP message; and
  
  a memory having stored thereon the filtering module, snooping agent, the access control module and the binding table.
- View Dependent Claims (38, 39, 40, 41)
- - 38. The network device of claim 37, whereinthe access control rule requires that the first message be discarded unless the message information matches the protocol status information, andthe first message is discarded, in response to the access control rule.
  - 39. The network device of claim 37, whereinthe first message is received via the interface identified in the protocol status information, andthe access control rule requires that the first message be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information.
  - 40. The network device of claim 37, further comprising:
    - an access control rule update module, whereinthe access control rule update module is configured to update an entry in the access control list to store information encoding the access control rule, in response to detecting that the binding table entry has been updated.
  - 41. The network device of claim 37, whereinthe snooping agent is configured to update the binding table entry in response to detecting a first protocol message, and the protocol server comprises a DHCP server.

42. A system comprising:
- means for applying an access control rule to a first message, wherein the first message comprises message information, and the means for applying comprises means for selecting the access control rule using the message information;
  
  means for obtaining protocol status information from one or more second messages sent between at least one client and a protocol server, wherein the protocol status information comprises protocol information generated by the protocol server, and the one or more second messages are conveyed according to a protocol used to assign network addresses to clients;
  
  means for storing access control rules, wherein the means for storing access control rules stores the access control rule;
  
  means for calculating the access control rule using the protocol status information, wherein the access control rule indicates whether to perform one or more security actions;
  
  means for storing the protocol status information;
  
  means for determining whether to perform the one or more security actions, based on a result of the means for applying;
  
  means for performing a first security action for the first message, wherein the access control rule indicates performance of the first security action; and
  
  means for selecting to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
  
  means for updating a binding table entry in response to means for detecting the one or more protocol messages, wherein the binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control MAC) address of the client, and an interface coupled to the client;
  
  means for allocating an entry in the means for storing access control rules to store access control information, wherein the access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by the means for updating the binding table entry.
- View Dependent Claims (43, 44, 45)
- - 43. The system of claim 42, whereinthe access control rule requires that the first message be discarded unless the message information matches the protocol information, andthe first message is discarded, in response to the access control rule.
  - 44. The system of claim 42, further comprising:
    - means for updating an entry in the means for storing access control rules to store information encoding an access control rule, in response to the means for updating the binding table entry, wherein the access control rule requires that the first message received via the interface be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information.
  - 45. The system of claim 42, further comprising:
    - means for updating a binding table entry in response to means for detecting a first protocol message, wherein the protocol server comprises a DHCP server.

46. A computer readable non-transitory storage medium comprising program instructions executable to:
- apply an access control rule to a first message, wherein the first message comprises message information the message information is used to select the access control rule, the access control rule is calculated using protocol status information, the protocol status information is obtained from one or more protocol messages sent between at least one client and a protocol server, the protocol status information comprises protocol information generated by the protocol server,the one or more protocol messages are conveyed according to a protocol used to assign a network address to a client, and the access control rule is stored in an access control list; and
  
  determine whether to perform one or more security actions, based on a result generated by applying the access control rule to the first message, wherein the access control rule indicates whether to perform the one or more security actions;
  
  perform a first security action for the first message, whereinthe access control rule indicates performance of the first security action; and
  
  select to unicast the first message instead of forwarding the first message normally, wherein the first message would normally be broadcast, multicast, or flooded to multiple recipients, and the selecting to unicast the first message is performed in response to a determination that the first message comprises a first protocol message from the protocol server;
  
  update a binding table entry in response to detecting the one or more second messages, wherein the binding table entry comprises the protocol status information corresponding to the client, andthe protocol status information identifies an Internet Protocol (IP) address of the client, a Media Access Control (MAC) address of the client, and an interface coupled to the client;
  
  allocate an entry in the access control list to store access control information, wherein the access control information encodes a second access control rule,the second access control rule requires that a Dynamic Host Configuration Protocol (DHCP) message received via any one of a plurality of interfaces be processed by a snooping agent,the snooping agent is configured to update information in the binding table in response to processing the DHCP message.
- View Dependent Claims (47, 48, 49)
- - 47. The computer readable storage medium of claim 46, whereinthe access control rule requires that the first message be dropped unless the message information matches the protocol status information, andthe first message is discarded, in response to the access control rule.
  - 48. The computer readable storage medium of claim 46, wherein the program instructions are further executable to:
    - update an entry in the access control list to store information encoding the access control rule, wherein the updating the entry in the access control list is performed in response to detecting that the binding table entry has been updated, andthe access control rule requires that the first message be dropped unless the message information comprises a IP source address that matches the IP address of the client identified in the protocol status information.
  - 49. The computer readable storage medium of claim 46, wherein the binding table entry is updated in response to detecting a first protocol message, and the protocol server comprises a DHCP server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Huang, Dehua, Sweeney, Adam J., Sudame, Pradeep S., Dobrota, Silviu, Jonnala, Premkumar
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
WANG, HARRIS C

Application Number

US10/971,523
Time in Patent Office

3,560 Days
Field of Search

713/170
US Class Current

713/170
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/10 for controlling access to d...

System and method for filtering network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for filtering network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links